Ah- got it... The admin questions were more of a curiosity than anything else...

t

On 9/22/06 11:51 PM, "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> spoketh to all:

> Yes, that is what I was looking for. It will be more work for the client to
> setup initially, (the calling of the process as runas a specific process user)
> but that will settle the security concerns.
>
> As to the 3 questions:
> 1) I asked that and the client stated the spec sheets are never updated since
> the actual PDF is an image of the original spec sheet created by the part
> manufacturer. The 3rd party master data store is in essence a spec sheet
> clearing house where they go out and find all these data sheets and then index
> them with unique ID numbers and create the PDF and then publish it.
> 2) Whenever a PDF is needed, it is checked locally and if not there then it
> is retrieved from the 3rd party and from that point on it is stored locally.
> 3) We are talking millions of PDFs here and more are always found, processed
> and added to the index. The initial storage space for this one feature is
> 500GB with the potential growth in 3 years to reach 1TB. Even using double
> sided DVDs would be out of the question.
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Friday, September 22, 2006 10:01 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: How to on ISA 2006
>
> It's John though, so let's give this one a go...
>
> We've got an internal server that needs to download content on demand and
> write it to a shared folder for internal use. Only this "process" should have
> write access to the share (everyone else is read only), and only the PDFs
> from the trusted host should be written.
>
> There are administrative questions I have in general that don't speak to
> solving the problem, but I've got to ask them:
> 1. What happens if a PDF gets updated by the main server? How will the "new"
> content be downloaded?
> 2. Why store the content locally in the first place when the client can dl it
> right from the source?
> 3. Why not just get a DVD of the PDFs from the source?
>
> [So, let's ignore those for now..]
>
> Jim skipped over some steps in his answer, but yes, ISA can't determine the
> original source of a document that someone may want to upload to a share once
> they've got it on the local host. But we may be able to combine some
> mechanisms to arrive at a solution.
>
> Obviously, the main threat is that the current config allows IIS' anonymous
> access user to write to a shared directory. An attacker could leverage this
> to upload malicious content to the server and own assets. So, the "download
> process" should be separated from the "anonymous user" context.
>
> Set up two users: one for the IIS anonymous user, and one for the download
> process. The IIS user has READ rights only to the directory and explicit deny
> WRITE rights. The download process has WRITE only rights to the directory.
> Both users explicitly have DENY EXECUTE rights.
>
> Client user requests PDF that does not exist. IIS user calls to RUNAS job
> under creds of "process" job, passing it the URL for the file. The process user
> calls for a download of the PDF. From an ISA standpoint, there is an access
> rule that allows the "process" user to download PDF content from only the
> internet host system, followed by a DENY ALL rule for that user to cover
> anything else. The process writes the file to the shared directory. The IIS
> user can then pass the file to the client user with READ rights.
>
> This way, the IIS user can only READ, and the "process" user can only WRITE,
> and neither can EXECUTE. ISA can limit what the "process" user can download
> and from where, and you don't have to worry about exploits against the IIS
> user. Even if the IIS user is compromised and the "process" user's creds
> exposed, the attacker could only download PDFs from the approved host.
> Further, you can use Group Policy to explicitly deny network access to the
> rest of the network for the "process" user as you will know that all of that
> user's access is local to the IIS box, and this gives you added security.
> Same for the IIS user.
>
> Is this along the lines of the solution you were looking for?
>
> t
>
> On 9/21/06 9:18 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> There is no way for ISA to determine the original source of content (regardless
> of file type) delivered via an HTTP stream. A file JoeBobAlooba sends you
> from his desktop looks exactly the same as one he pulled from a remote
> share. Unless the server / client applications define it in some way, there
> is no such context as "file properties" or "originator" in HTTP other than a
> "referer" header and this only refers to the site that sent JoeBobAlooba to
> your site.
> Even then, there is no way to define "block all except" in HTTP signatures -
> it's "block this" only.
>
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of John T (Lists)
> Sent: Thu 9/21/2006 6:18 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: How to on ISA 2006
>
> ASP. Website is on an internal server. ISA is ISA only.
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Thursday, September 21, 2006 4:29 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: How to on ISA 2006
>
> Can you give more information about the process doing the downloading? .NET or
> ASP based? The ISA box is not the same box, right?
>
> t
>
> On 9/21/06 1:03 PM, "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> spoketh to
> all:
> This is a new one for me but I am sure ISA can do this but I need pointers in
> the direction of how to.
>
> Internal server is running IIS 6.0 on Windows 2003 Standard server. IIS
> anonymous user is a domain account properly configured.
>
> There will be a function of a sub-site of the company website (forced SSL)
> that will return and display information as a result set for a part search.
> Part of that displayed information will be a web button displayed that if
> there is a PDF document available for specs for that part will either A) open
> the PDF in a new window if the document exists on the data share on the local
> server or B) if the PDF document does not exist on the data share of the local
> server retrieve it from the 3rd party master data store on the Internet and
> add (write) it to the data share of the local server and then display it in a
> new window.
>
> The concern is to ensure that only PDF documents from that 3rd party master
> data store on the Internet can be added (written) to the data share of the
> local server since the anonymous user for the site will have write permission
> for that directory.
>
> What can be done on the ISA server to prevent writing to the data share except
> for PDF documents from that 3rd party master data store?
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
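As an added example (not part of the thread, and not anything John or Thor posted), the NTFS side of Thor's split-privilege design can be applied on the IIS box with PowerShell. The share path, the domain, and both service account names below are assumptions for illustration; the ISA access rule, the RUNAS invocation of the fetch job, and the Group Policy network-logon restriction he mentions are separate steps not shown here.

```powershell
# Added example, not from the thread: apply the split-privilege ACL Thor describes
# to the PDF data share on the IIS box. The share path and the two account names
# below are assumptions for illustration; substitute your own.
$Share       = 'D:\PdfData'           # assumed: local data share the sub-site serves PDFs from
$IisAnonUser = 'CORP\svc-iis-anon'    # assumed: domain account IIS 6 uses for anonymous access
$FetchUser   = 'CORP\svc-pdf-fetch'   # assumed: separate "process" account that downloads PDFs

$ErrorActionPreference = 'Stop'

function New-Ace {
    # Build one ACE. Default scope: this folder, its subfolders and the files in them.
    # -FilesOnly scopes it to files beneath the folder (not the folder itself): on a
    # folder, ExecuteFile means "traverse", and a Deny there would block the IIS user
    # from reaching the PDFs on hosts where "Bypass traverse checking" has been removed.
    param([string]$Identity, [string]$Rights, [string]$Type, [switch]$FilesOnly)
    $inherit   = if ($FilesOnly) { 'ObjectInherit' } else { 'ContainerInherit, ObjectInherit' }
    $propagate = if ($FilesOnly) { 'InheritOnly' }   else { 'None' }
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]$propagate,
        [System.Security.AccessControl.AccessControlType]$Type)
}

function Set-PdfShareAcl {
    param([string]$Path, [string]$ReadOnlyUser, [string]$WriteOnlyUser)

    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent so nothing above the share re-grants what is
    # denied here. Inherited ACEs are dropped, so admins and SYSTEM are re-added below.
    $acl.SetAccessRuleProtection($true, $false)

    # Make the script idempotent: drop whatever the two service accounts already hold.
    foreach ($who in @($ReadOnlyUser, $WriteOnlyUser)) {
        $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount -ArgumentList $who))
    }

    # Keep the box manageable.
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'Allow'))
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'Allow'))

    # IIS anonymous account: read/list only, with the explicit denies from the thread.
    # A Deny ACE wins over any Allow the account might pick up through group membership.
    $acl.AddAccessRule((New-Ace $ReadOnlyUser 'Read'        'Allow'))
    $acl.AddAccessRule((New-Ace $ReadOnlyUser 'Write'       'Deny'))
    $acl.AddAccessRule((New-Ace $ReadOnlyUser 'ExecuteFile' 'Deny' -FilesOnly))

    # Download "process" account: write only, no Read granted at all.
    # FileSystemRights.Write by itself is not enough for a CreateFile(GENERIC_WRITE)
    # open, which also asks for READ_CONTROL and SYNCHRONIZE; grant those two as the
    # ACL editor's basic "Write" checkbox does, or the fetch job fails with Access Denied.
    $acl.AddAccessRule((New-Ace $WriteOnlyUser 'Write, ReadPermissions, Synchronize' 'Allow'))
    $acl.AddAccessRule((New-Ace $WriteOnlyUser 'ExecuteFile' 'Deny' -FilesOnly))

    Set-Acl -Path $Path -AclObject $acl
}

function Get-ServiceAccountAces {
    # Post-change check: show exactly what the two service accounts ended up with.
    param([string]$Path, [string[]]$Accounts)
    (Get-Acl -Path $Path).Access |
        Where-Object { $Accounts -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags
}

Set-PdfShareAcl -Path $Share -ReadOnlyUser $IisAnonUser -WriteOnlyUser $FetchUser
Get-ServiceAccountAces -Path $Share -Accounts $IisAnonUser, $FetchUser | Format-Table -AutoSize
```

Run it from an elevated prompt on the IIS host after both domain accounts exist; Set-Acl needs WriteDac on the folder. A worthwhile check afterwards is to open a shell as the IIS anonymous account (runas /user:CORP\svc-iis-anon cmd) and confirm that creating a file under the share is denied while reading an existing PDF succeeds, then repeat as the fetch account and confirm the reverse.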